| Internet-Draft | Reverse HTTP | July 2023 |
| Schwartz & Reddy | Expires 11 January 2024 | [Page] |
This document defines a secure transport for HTTP in which the client and server roles are reversed. This arrangement improves the origin server's protection from Layer 3 and Layer 4 DDoS attacks when an intermediary is in use. It allows origin server's to be hosted without being publicly accessible but allows the clients to access these servers via an intermediary.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-bt-reverse-http/.¶
Discussion of this document takes place on the HTTPBIS Working Group mailing list (mailto:ietf-http-wg@w3.org), which is archived at http://lists.w3.org/Archives/Public/ietf-http-wg/.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The HTTP protocol has long supported the ability of clients to access origins via an intermediary. There are now a variety of well-defined intermediary types:¶
Client-selected¶
Origin-selected¶
Although these intermediaries differ widely in their functionality, they all generally act as a client when connecting to the origin. Client-selected intermediaries reach the origin based on its hostname or IP address specified in the HTTP request, while origin-selected intermediaries first translate this destination into a "backend address".¶
One of the main advantages of origin-selected intermediaries is their ability to defend the origin from attacks, especially Denial of Service (DoS) and Distributed Denial-of-Service (DDoS) attacks in which the attacker floods the origin server with requests or packets. To prevent attackers from simply bypassing the intermediary, common practices include keeping the backend address secret and/or instituting firewall rules that only allow packets from the intermediary. These practices are reasonably effective with origin-selected intermediaries, but they cannot be used with client-selected intermediaries, as those intermediaries do not know the secret backend address, and the origin does not know their "exit" IP addresses.¶
This specification defines a protocol for HTTP connections between origins and arbitrary intermediaries that can limit the impact of Layer 3 and Layer 4 DDoS attacks. When this protocol is in use, origins have the ability to partition the infrastructure that serves each intermediary. This ensures that attacks targeting the origin's public IP address or attacks via one intermediary will not affect any other intermediaries. By partitioning the infrastructure, the impact of the attacks is contained within the affected intermediary or the origin's public IP address.¶
This protocol works by reversing the TLS or QUIC transport that supports the HTTP connection: the origin acts as the transport client, and the intermediary acts as the server. Inside the secure transport, HTTP operates normally, but with the client and server roles reversed.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The new protocol is termed "Reverse HTTP". The "Reverse HTTP/2" version is identified by the ALPN ID "h2-reverse", and "Reverse HTTP/3" by "h3-reverse" (see Section 7.1 for registrations). These protocols represent HTTP/2 and HTTP/3, operating with the roles reversed but otherwise unmodified, except as follows:¶
The origin MUST immediately send an ORIGIN frame identifying the origins it claims. This frame is used as originally defined, except that wildcard names are permitted (contrary to Section 2.2 of [RFC8336]).¶
Reverse HTTP/1.1 is not defined, as the lack of multiplexing renders it unsuitable for this use.¶
Once this process has completed, the origin has proved ownership of the Origin Set and is ready to receive requests. The intermediary SHOULD direct subsequent HTTP requests for this origin over this Reverse HTTP channel unless it appears to be overloaded.¶
Transport proxies do not normally act as HTTP clients, so they cannot use Reverse HTTP directly. Instead, if a transport proxy receives a request whose destination host and port appears in the Origin Set, the proxy establishes a transport proxy connection to this origin over the Reverse HTTP connection. For TCP, this corresponds to an HTTP CONNECT request, and for UDP it corresponds to an extended-CONNECT request with the "connect-udp" protocol, using the registered .well-known URI template.¶
Note that transport destinations identified by an IP address can only use this mechanism if the origin's certificate includes that IP address explicitly.¶
For IP relays, the destination does not include a port number. The intermediary MUST add a port number of 443 before attempting to forward packets using this procedure.¶
The HTTP "Via" header can indicate the presence of a client-selected intermediary. If a "Via" header arrives with an unrecognized host, the origin MAY attempt a Reverse HTTP connection for use by future requests from this intermediary. If the intermediary does not confirm the protocol via ALPN, the origin MUST close the connection.¶
Intermediaries that support Reverse HTTP SHOULD indicate this by publishing a SVCB record with port-prefix naming, using the scheme "http-reverse" with a default port of 443. Applicable SvcParamKeys include "alpn", "ipv4hint"/"ipv6hint", "port", and "ech". There is no default ALPN value, so the "alpn" key is REQUIRED.¶
proxy.example.net. IN HTTPS 1 . alpn=h2,h3 ech=ABC..123
_http-reverse.proxy.example.net. IN SVCB 1 proxy.example.net. \
alpn=h2-reverse,h3-reverse ech=ABC..123
Reverse HTTP does not use appreciably more bandwidth or CPU time than ordinary HTTP on active connections. However, it is much less efficient for idle connections, which use memory and other connection-related resources on the intermediary even when no requests are being processed.¶
To accommodate loss of state in firewalls or translators, especially in the absence of application traffic, the origin SHOULD use appropriate transport-level keepalives and MUST re-establish a new connection when application-level communication has failed.¶
Origins backed by multiple servers MAY attempt to establish a separate Reverse HTTP connection from each one in order to tolerate equipment failures and support optimized path selection. However, intermediaries SHOULD limit the number of idle Reverse HTTP connections operated on behalf of each registrable domain, in order to avoid resource exhaustion attacks.¶
For very high-traffic origins and multi-instance intermediaries, a disruption could occur if the intermediary immediately directs all user traffic onto the first Reverse HTTP connection. Very large intermediaries SHOULD ensure that transitions to Reverse HTTP are gradual, so that large origins have time to establish multiple connections.¶
In some cases, an HTTP origin may be intended exclusively for use via one or more client-selected intermediaries that are known to the origin. In this situation, the publication of DNS records for the origin is OPTIONAL.¶
Reverse HTTP is principally intended for use between intermediaries and origins. It is not applicable to general HTTP clients, as it requires the origin to know that the client will issue a request before the request occurs. However, in cases where the HTTP client is publicly reachable and produces frequent requests to one origin over a long period of time, Reverse HTTP may be applicable.¶
As noted in Section 4 of [RFC8336], accepting ORIGIN frames without DNS confirmation facilitates the use of stolen keys, and thus increases the incentive to steal these keys. The mitigations listed in that section also apply here, and are RECOMMENDED. Intermediaries also MAY impose a DNS confirmation requirement, although this weakens the DoS/DDoS defense provided by Reverse HTTP (Section 6.2).¶
QUESTION: Should we do more about this? For example, we could define an OID to mark these certificates as Reverse HTTP-only, or we could commit to an IP range by placing a MAC in a DNS record and revealing the message via a SETTINGS value.¶
One goal of Reverse HTTP is to prevent DoS/DDoS attackers from learning the IP addresses used by the origin to communicate with this intermediary. This IP address can be leaked in various ways, requiring certain mitigations:¶
In the ordinary DNS address records for the origin.¶
In the Proxy-Status HTTP header field's "next-hop" attribute.¶
From the probes sent to intermediaries discovered from the "Via" header field.¶
From connection monitoring of the ALPN values in ClientHellos.¶
From statistical analysis of traffic patterns.¶
Even if the origin's Reverse HTTP IP addresses do leak, Reverse HTTP still provides significant protection by simplifying the firewall rules required to block unsolicited connections.¶
The security considerations for the Oblivious HTTP protocol (Section 8 of [OHTTP]) as well as the security considerations for Discovery of Oblivious Services via Service Binding Records (Section 6 of [OHAI-SVCB]) apply. [CONSISTENCY] provides an analysis of the options for ensuring the key configurations are consistent between different clients. Clients MUST employ some technique to mitigate key targeting attacks. Note that the option of confirming the key with a shared proxy as described in [CONSISTENCY] will work if the Oblivious HTTP relay and the forward proxy operate from a single origin.¶
This document creates two new registrations in the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry [RFC7301]:¶
| Protocol | Identification Sequence | Specification |
|---|---|---|
| Reverse HTTP/2 | 0x68 0x32 0x2d 0x72 0x65 0x76 0x65 0x72 0x73 0x65 ("h2-reverse") | (This document) |
| Reverse HTTP/3 | 0x68 0x33 0x2d 0x72 0x65 0x76 0x65 0x72 0x73 0x65 ("h3-reverse") | (This document) |